Since mid-December 2022, threat actors have been increasingly exploiting Microsoft OneNote files to deliver malware and compromise victims. Last week, WaterISAC shared a DHS report on attackers successfully utilizing weaponized Microsoft OneNote files for malware distribution. Threat actors, including ransomware gangs, are actively using this delivery method to infect organizations. Specifically, threat actors behind the QakBot campaigns successfully used this tactic to compromise an organization and infect its network with BlackBasta ransomware. To help organizations proactively defend against this activity, BleepingComputer posted comprehensive guidance on how to block malicious Microsoft OneNote files. Read more detailed guidance on blocking Microsoft OneNote at BleepingComputer.

Additional WaterISAC Reporting on the OneNote infection vector and/or Qakbot/Qbot:

• Threat Awareness - Use of Microsoft OneNote to Spread Malicious Payloads Rising
• Threat Awareness – Black Basta Ransomware Employs Qakbot in Latest Attack Chain
• Qbot Displaces Emotet as Most Prevalent Malware in December 2022, New Report Finds
• Threat Awareness – Threat Actors Exploiting Microsoft OneNote Attachments to Spread Malware
• Threat Awareness – Qbot Steals Sensitive Data Minutes after the Initial Infection
• Zscaler Report - OneNote: A Growing Threat for Malware Distribution